Xero Business Community


Email Settings - Set up SPF Record

Started by Trevor Spink in Feature Requests | No plans

We really should have information on setting up an SPF record as you are sending out email from our domain

Hey - in this case were you looking for specific steps for setting up your record or do you already know that and just need the mail server address? I understand the set up is different on every system - would be interested to know if others run into this? Otherwise if you need the host/IP address, could you please contact support - we'd rather pass it out via case. Thanks.

Catherine Walker (Community Manager)

Please can you post details of your mail servers so that we can add SPF records correctly. There is no good reason not to have this information publicly available.

Adam Cooke

Hi Adam,

You can simply include the Xero record in your own SPF record: http://www.openspf.org/SPF_Record_Syntax#include

e.g. include:xero.com

That way when we change or add IP addresses, your SPF record will automatically include them.



Kirk J

Wow, this is a good topic. I think the accountants bringing people on should add this to their checklist, hopefully stop anything going to SPAM

Greg Wood

Thanks for the include:xero.com tip. And yes I agree with Adam that there is no reason not to publish this information. If you're relying on keeping mailserver IP addresses secret as a form of protection then we're in serious trouble...

Mark Stockley

To be honest, I would much prefer that mail is sent using your own SPF & DKIM records rather than simply trying to send mail as our addresses (which is prone to being blocked). This doesn't mean the mail can't appear to be from our addresses, it just means that some mail clients would include a "sent via." message. This approach would also allow you to track bounces & delivery failures more accurately.

To add to that, when using multiple organisations you have to send all outbound mail as your user's email address, which means I can't send invoices from my second organisation because they would be sent from the first organisation's address.

Adam Cooke

Edit: sorry Kirk, you were correct. include:xero.com is correct for the spf entry as it includes the SPF record for all IP addresses including mail.go.xero.com.


Jared Pomranky

Actually, I think this whole thread is misleading, particularly the post by the Xero staff member.

SPF should be used to check the Sender of an email, not the From: line. It effectively checks the Envelope From from the SMTP session.

In a mail sent by Xero, the Envelope From is 3e9.4.CzjqngLV30aA7mnsbb5grA@notifications.xero.com (presumably the first part helps Xero check bounces). notifications.xero.com will be checked for an SPF record and the receiving MTA will discover that there is no SPF.

As the xero.com SPF record includes most of Microsoft, including Hotmail, it would be a very bad idea for Xero customers to include it.

Cliff Stanford

It looks like Xero does indeed use SPF:

xero.com. 51413 IN TXT "MS=ms88298519"
xero.com. 51413 IN TXT "google-site-verification=49KGc0SDQ7vAXUdLMYoGS6OKwS2GX-g-cHSd7_GxdEo"
xero.com. 51413 IN TXT "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: mx include:_spf.elasticemail.com include:cmail1.com include:outlook.com include:xero365.onmicrosoft.com ?all"

Perhaps this wasn't the case a month ago.

Mike Bordignon

Unfortunately the spf record for xero.com is invalid (has 14+ dns lookups) and the RFC says that MUST trigger a PermError return (tested with tools from openspf.org)

see: http://support.sendgrid.com/entries/251819-SPF-Don-t-Exceed-Ten-DNS-Lookups- and http://www.openspf.org/RFC_4408#processing-limits

What spf record should I use that covers emails generated by a user (eg outgoing invoices), but doesn't include anything that only staff at xero.com could generate?

(Preferably with no more than 3 dns lookups, as my client already uses three other services resulting in 7 dns lookups)

Ian Heggie

I've just found that including xero.com's SPF had caused my SPF record to become invalid (too many DNS lookups), so after a bit of digging I changed it to read:
v=spf1 include:spf.protection.outlook.com a:_spf.xero.com a:remote.mydomain.com ~all

I'm not yet convinced this is right (hence the ~ soft fail) but at least now the DNS lookup count isn't exceeded. I can see this being a problem into the future, anyone using outlook365 already has a huge number of DNS lookups just because of the way Microsoft nests theirs.

Jeremy Sherriff
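
The ten-lookup limit that Ian Heggie and Jeremy Sherriff describe above, as an added example that is not part of either post: a static count of the lookup-costing terms (include, a, mx, ptr, exists, redirect) over a constructed zone. All domain names and records are made up, and because a real receiver stops at the first match, the count is the worst case a linter would report.

```python
# Added example: static count of the DNS lookups an SPF record can trigger.
# ZONE is constructed sample data (reserved .example names), not real DNS.
ZONE = {
    "customer.example": "v=spf1 include:_spf.mail.example "
                        "include:vendor.example a:remote.customer.example ~all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example -all",
    "a.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mail.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "vendor.example": "v=spf1 mx "
    + " ".join(f"include:n{i}.vendor.example" for i in range(8)) + " ?all",
    **{f"n{i}.vendor.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(8)},
}
LOOKUP_LIMIT = 10  # RFC 4408 section 10.1 / RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")


class PermError(Exception):
    """Raised for conditions a receiver would report as SPF PermError."""


def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms reachable from domain's record, nested ones included."""
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise PermError(f"no SPF record at {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" still cost a lookup
        if name in LOOKUP_TERMS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, seen + (domain,))
    return total


def check(domain, zone=ZONE):
    """Return ("ok", n) or ("permerror", n or reason) for the record at domain."""
    try:
        n = count_lookups(domain, zone)
    except PermError as err:
        return ("permerror", str(err))
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)
```

In this sample zone `vendor.example` is valid on its own at 9 lookups, but the customer record that includes it reaches 14 and evaluates to PermError.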

Just wanted to confirm for you all here. We actually made a change a while back which means we no longer need users to set up SPF filtering at all.

Emails sent from Xero are now sent from message-service@post.xero.com, so we aren't impersonating the logged in user.
When a recipient responds to these emails, the reply will go to whatever is set up in the Email Settings.

I'm going to close this thread, but please do feel free to reach out to Support if you have any further questions about this.

Kelly M (Community Manager)


What about domain keys? We've just added one for email, will Xero's emails still work?

Alistair Snowie

How on earth is this a fix/resolution!?

As a customer I want to maintain a single brand, clients should receive mails from my domain and configuring the spf records correctly is key to achieve this

Christopher Rimmer